Critical Vlan - HP FlexFabric 5700 Series Security Configuration Manual
Hide thumbs
Also See for FlexFabric 5700 Series:
- Configuration manual (185 pages) ,
- Configuration manual (125 pages) ,
- Configuration manual (132 pages)
Table of Contents
Advertisement
Critical VLAN
The 802.1X critical VLAN on a port accommodates 802.1X users who have failed authentication
because none of the RADIUS servers in their ISP domain is reachable. Users in the critical VLAN can
access a limited set of network resources depending on the configuration.
The critical VLAN feature takes effect when 802.1X authentication is performed only through RADIUS
servers. If an 802.1X user fails local authentication after RADIUS authentication, the user is not assigned
to the critical VLAN. For more information about RADIUS configuration, see
The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control
method.
On a port that performs port-based access control:
•
Authentication status
A user that has not been assigned to any
VLAN fails 802.1X authentication because
all the RADIUS servers are unreachable.
A user in the 802.1X critical VLAN fails
authentication because all the RADIUS
servers are unreachable.
A user in the 802.1X critical VLAN fails
authentication for any other reasons
except for unreachable servers.
A user in the 802.1X critical VLAN passes
802.1X authentication.
A user in the 802.1X guest VLAN fails
authentication because all the RADIUS
servers are unreachable.
A user in the 802.1X Auth-Fail VLAN fails
authentication because all the RADIUS
servers are unreachable.
A user who has passed authentication fails
reauthentication because all the RADIUS
servers are unreachable, and the user is
logged out of the device.
•
On a port that performs MAC-based access control:
VLAN manipulation
The device assigns the critical VLAN to the port as the PVID.
The 802.1X user and all subsequent 802.1X users on this
port can access only resources in the 802.1X critical VLAN.
The critical VLAN is still the PVID of the port, and all 802.1X
users on this port are in this VLAN.
If an 802.1X Auth-Fail VLAN is configured, the PVID of the
port changes to the Auth-Fail VLAN ID. All 802.1X users on
this port are moved to the Auth-Fail VLAN.
If no 802.1X Auth-Fail VLAN is configured, the initial PVID
of the port is restored.
•
The device assigns the authorization VLAN of the user to
the port as the PVID, and it removes the port from the
802.1X critical VLAN. After the user logs off, the guest
VLAN ID changes to the PVID. If no 802.1X guest VLAN
is configured, the initial PVID of the port is restored.
•
If the authentication server (either the local access device
or a RADIUS server) does not authorize a VLAN, the
initial PVID of the port applies. The user and all
subsequent 802.1X users are assigned to this port VLAN.
After the user logs off, the PVID remains unchanged.
The device assigns the 802.1X critical VLAN to the port as
the PVID, and all 802.1X users on this port are in this VLAN.
The PVID of the port remains unchanged. All 802.1X users
on this port can access only resources in the 802.1X
Auth-Fail VLAN.
The device assigns the 802.1X critical VLAN to the port as
the PVID.
76
"Configuring
AAA."
- Quick Links:
- Configuring Local Users
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
